I'm trying to work out what I'm doing wrong. I have 2 accounts:
Account A - 11111111111
Account B - 22222222222
Account A is our login account, which contains all the user details. Account B is our product account.
I want to run my Lambda in Account B and report on data in Account A. Currently, when I run the Lambda, I get the following error:
An error occurred (AccessDenied) when calling the ListUsers operation: User: arn:aws:sts::2222222222:assumed-role/svc_pct_iam_lambda_role/unusedaccount_lambda_function is not authorized to perform: iam:ListUsers on resource: arn:aws:iam::2222222222:user/: ClientError
I think the error is that it is using the current boto client in the account where the Lambda runs, rather than where I have allowed access. So it is querying account 222222222 instead of 1111111.
Account A has the following role and policies:
resource "aws_iam_role" "svc_pct_iam_lambda_role" {
  name               = "svc_pct_iam_lambda_role"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_role_policy" "svc_pct_iam_lambda_access_policy" {
  name   = "svc_pct_iam_lambda_access_policy"
  role   = "${aws_iam_role.svc_pct_iam_lambda_role.id}"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::2222222222:role/svc_pct_iam_lambda_role"
    }
  ]
}
EOF
}

resource "aws_iam_policy" "svc_pct_iam_lambda_policy" {
  name   = "svc_pct_iam_lambda_policy"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ListUsers",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "SNS:Publish",
        "iam:ListAccessKeys",
        "iam:ListUserPolicies",
        "iam:ListGroupsForUser"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "role-attach-svc-pct-iam-lambda-role" {
  role       = "${aws_iam_role.svc_pct_iam_lambda_role.name}"
  policy_arn = "${aws_iam_policy.svc_pct_iam_lambda_policy.arn}"
}
The policy in Account B, where the Lambda lives, is:
resource "aws_iam_role" "svc_pct_iam_lambda_role" {
  name               = "svc_pct_iam_lambda_role"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_role_policy" "svc_pct_iam_lambda_policy" {
  name   = "svc_pct_iam_lambda_policy"
  role   = "${aws_iam_role.svc_pct_iam_lambda_role.id}"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::1111111111:role/svc_pct_iam_lambda_role"
    }
  ]
}
EOF
}
The Lambda is:
import boto3
import datetime
from dateutil.tz import tzutc


def lambda_handler(event, context):
    # boto3 picks up the credentials of the Lambda's execution role,
    # so these IAM calls run against the account the Lambda lives in.
    resource = boto3.resource('iam')
    client = boto3.client("iam")
    today = datetime.datetime.now()
    for user in resource.users.all():
        if user.password_last_used is not None:
            delta = (today - user.password_last_used.replace(tzinfo=None)).days
            if delta >= 60:
                print("Username: ", [user.user_name], delta)
For the AWS Lambda function to access resources in Account A, it needs to assume an IAM role from Account A.
Therefore, it needs to call:
AssumeRole()
Here is some sample code from Switching to an IAM Role (AWS API) - AWS Identity and Access Management:
import boto3

# create an STS client object that represents a live connection to the STS service
sts_client = boto3.client('sts')

# Call the assume_role method of the STSConnection object and pass the role ARN and a role session name.
assumed_role_object = sts_client.assume_role(
    RoleArn="arn:aws:iam::account-of-role-to-assume:role/name-of-role",
    RoleSessionName="AssumeRoleSession1"
)

# From the response that contains the assumed role, get the temporary
# credentials that can be used to make subsequent API calls
credentials = assumed_role_object['Credentials']

# Use the temporary credentials that AssumeRole returns to make a
# connection to Amazon S3
s3_resource = boto3.resource(
    's3',
    aws_access_key_id=credentials['AccessKeyId'],
    aws_secret_access_key=credentials['SecretAccessKey'],
    aws_session_token=credentials['SessionToken'],
)

# Use the Amazon S3 resource object that is now configured with the
# credentials to access your S3 buckets.
for bucket in s3_resource.buckets.all():
    print(bucket.name)
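The answer's pattern applied to the asker's report, as an added example (not code from the question, the answer or AWS's documentation): the Lambda in Account B calls STS AssumeRole for the role in Account A, binds an IAM client to the returned temporary credentials instead of the execution role's own credentials, and then runs the stale-password check against Account A's users. The account id, role ARN and session name are placeholders, and the sample user records are constructed. It assumes the prerequisite the answer implies: the trust policy of the Account A role must name the Account B Lambda role (or account) as an `AWS` principal, since a trust policy that lists only the `lambda.amazonaws.com` service principal does not let a role in another account assume it; the Account B role in turn needs `sts:AssumeRole` on the Account A role, which the posted policy already grants.

```python
"""Cross-account stale-password report (added example, not the asker's code).

Runs in Account B, assumes a role in Account A, and lists Account A users
whose console password was last used STALE_DAYS or more days ago.
"""
import datetime
from datetime import timezone

# Placeholders (assumed values): the role in the login account that trusts
# the Lambda's execution role in the product account.
LOGIN_ACCOUNT_ROLE_ARN = "arn:aws:iam::111111111111:role/svc_pct_iam_lambda_role"
SESSION_NAME = "unusedaccount-report"
STALE_DAYS = 60


def assume_login_account_role(role_arn=LOGIN_ACCOUNT_ROLE_ARN, session_name=SESSION_NAME):
    """Call STS AssumeRole and return the temporary credentials dict.

    boto3 is imported inside the AWS-facing functions so the reporting logic
    below can be exercised offline. DurationSeconds=900 is the shortest
    session STS allows; the report does not need a longer one.
    """
    import boto3

    sts = boto3.client("sts")
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name, DurationSeconds=900)
    return resp["Credentials"]


def iam_client_for(credentials):
    """Build an IAM client bound to the assumed-role credentials.

    A plain boto3.client('iam') would use the Lambda's execution role and so
    query the account the Lambda runs in, which is the error in the question.
    """
    import boto3

    return boto3.client(
        "iam",
        aws_access_key_id=credentials["AccessKeyId"],
        aws_secret_access_key=credentials["SecretAccessKey"],
        aws_session_token=credentials["SessionToken"],
    )


def list_users(iam):
    """Return every user record from ListUsers, following pagination."""
    users = []
    for page in iam.get_paginator("list_users").paginate():
        users.extend(page["Users"])
    return users


def stale_password_users(users, today, max_days=STALE_DAYS):
    """Return [(UserName, days_since_password_last_used)] for stale users.

    `users` are ListUsers-style dicts; PasswordLastUsed is absent for users
    who never signed in with a password, and those are skipped, matching the
    original Lambda. Datetimes are compared timezone-aware, as IAM returns them.
    """
    stale = []
    for user in users:
        last_used = user.get("PasswordLastUsed")
        if last_used is None:
            continue
        days = (today - last_used).days
        if days >= max_days:
            stale.append((user["UserName"], days))
    return stale


def lambda_handler(event, context):
    """Entry point: report on Account A from a Lambda running in Account B."""
    credentials = assume_login_account_role()
    iam = iam_client_for(credentials)
    today = datetime.datetime.now(timezone.utc)
    report = stale_password_users(list_users(iam), today)
    for name, days in report:
        print("Username:", name, days)
    return {"stale_users": report}


# Constructed sample data so the reporting logic can be run without AWS.
SAMPLE_TODAY = datetime.datetime(2020, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"UserName": "alice", "PasswordLastUsed": datetime.datetime(2020, 5, 30, tzinfo=timezone.utc)},
    {"UserName": "bob", "PasswordLastUsed": datetime.datetime(2020, 3, 1, tzinfo=timezone.utc)},
    {"UserName": "carol", "PasswordLastUsed": datetime.datetime(2020, 4, 2, tzinfo=timezone.utc)},
    {"UserName": "svc-deploy"},  # API-only user, never used a console password
]

if __name__ == "__main__":
    print(stale_password_users(SAMPLE_USERS, SAMPLE_TODAY))
```

The AWS calls are kept in their own small functions and the report logic takes plain dicts, so the threshold behaviour can be checked offline and the only thing that changes between accounts is which credentials the IAM client is built from.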